This malware server was "adjusted" by angels:-)) to be accessed from global↓ ↑We call it Blackhole Landing Page (assumed is ver2) Then we downloaded all of the data in the malware server into our local drive: The files we grabbed in total:

FINISHED --00:59:09--Downloaded: 317,468 bytes in 51 files

And here we are ready to analyze one by one :-)

BHEK2 Landing Page of js.js Infectors...

This server is meant to infect malware served by Blackhole EK v2, functioned as a landing page with some infectors lead to js.js, the name of directories are randomized for the usage of "one-click" infection method. Link to the js.js can be found in the "random-named" sub directories, with below PoC:

Plugin Detect access infector...

There is one html file called postinfo.html which is having links that goes to the BHEK PluginDetect, (which the PluginDetect) server looks already taken down.. Well, the postinfo.html has the evil code like this↓